This is a PoC of the kubernetes-vault-client using an instance of Vault running in -dev mode and a local instance of minikube. The kubernetes-vault-client tool runs in an init container and uses the Vault kubernetes auth method to pull secrets from Vault and write them into a volume that can be mounted in any container in the pod, preferably an emptyDir with medium: Memory, so the secrets live in tmpfs rather than on the node's disk. It is meant to be run on a laptop and demonstrates the various configurations necessary to get it working.
- OPTIONAL: Install & Start Minikube
- OPTIONAL: Install & Start Vault Server
- OPTIONAL: Create Policy for Humans & Secret Namespace
- OPTIONAL: Create Secret
If you do not have access to a kubernetes cluster, click here for instructions on how to install minikube.
If you do not have access to a Vault server, click here to download Vault for your operating system and use the following command to start Vault on your laptop or desktop:
```sh
$ vault server -dev -dev-listen-address="0.0.0.0:8200"
```

```sh
# Address of the dev Vault server as reachable from the cluster (not 127.0.0.1 when pods must reach it)
$ export VAULT_ADDR=__CHANGEME__
# Path to the minikube cluster CA certificate file
$ export KUBE_CA_CERT_PATH=__CHANGEME__
$ vault auth enable kubernetes
# token_reviewer_jwt must be a service-account JWT that is permitted to call the TokenReview API
$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$default_token_value" \
    kubernetes_host=https://192.168.99.101:8443 \
    kubernetes_ca_cert=@$KUBE_CA_CERT_PATH
```
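The pod layout the introduction describes (init container fetches secrets into an in-memory emptyDir, application container reads them), as an added example manifest that is not part of the original PoC. The image reference, service account name, mount path and Vault address are assumptions, and the client's own command-line options are omitted because they are not described here.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: vault-demo
spec:
  # Assumption: this service account is bound to a Vault kubernetes-auth role;
  # its token is auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount/token
  # and is what the init container presents to Vault.
  serviceAccountName: vault-demo
  volumes:
    - name: vault-secrets
      emptyDir:
        medium: Memory          # tmpfs: secrets are never written to the node's disk
  initContainers:
    - name: vault-client
      image: kubernetes-vault-client:CHANGEME   # placeholder image reference
      env:
        - name: VAULT_ADDR
          value: "http://192.168.99.1:8200"      # assumption: dev Vault as seen from minikube
      volumeMounts:
        - name: vault-secrets
          mountPath: /var/run/secrets/vault      # assumed output path for fetched secrets
  containers:
    - name: app
      image: busybox
      command: ["sh", "-c", "ls -l /var/run/secrets/vault && sleep 3600"]
      volumeMounts:
        - name: vault-secrets
          mountPath: /var/run/secrets/vault
          readOnly: true                         # the app only needs to read the secrets
```

Because the volume is an in-memory emptyDir, the secrets disappear with the pod and are never persisted to node storage, but any container in the pod that mounts the volume can read them.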